Permalink
Browse files

SECOAUTH-388: apply ClientCredentialsTokenEndpointFilter only if not …

…already authenticated
  • Loading branch information...
1 parent 6176757 commit 41be0b69c97a9cd6929e01a4f1afdb72678ae99b @dsyer dsyer committed Jan 31, 2013
View
2 samples/oauth2/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -17,7 +17,7 @@
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
- <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
+ <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
View
15 ...springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java
@@ -23,6 +23,7 @@
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
@@ -40,17 +41,17 @@
*
*/
public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {
-
+
private AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
public ClientCredentialsTokenEndpointFilter() {
this("/oauth/token");
}
-
+
public ClientCredentialsTokenEndpointFilter(String path) {
super(path);
}
-
+
/**
* @param authenticationEntryPoint the authentication entry point to set
*/
@@ -85,8 +86,14 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
String clientId = request.getParameter("client_id");
String clientSecret = request.getParameter("client_secret");
+ // If the request is already authenticated we can assume that this filter is not needed
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ if (authentication != null && authentication.isAuthenticated()) {
+ return authentication;
+ }
+
if (clientId == null) {
- return null;
+ throw new BadCredentialsException("No client credentials presented");
}
if (clientSecret == null) {

0 comments on commit 41be0b6

Please sign in to comment.